"It appears that it's an Apple issue," Soltani told Ars, referring to the inability to enable HTTPS when Apple's Address Book is updated to a user's Gmail account. "Their other products support Gmail via HTTPS, so I suspect it would be a three-line fix in the contacts to alleviate this problem."

Once the current version of Address Book is configured to sync with Google's popular e-mail service, the app checked in about once an hour on the Macs Soltani tested. Any time it held an address not found in Gmail, it sent the data unencrypted. Interestingly, the program uses HTTPS to cryptographically authenticate the machine advertising itself as a Gmail server, but then goes on to send the addresses in plain text over an unencrypted HTTP connection, he said.
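The pattern Soltani describes, TLS for the server check but plaintext HTTP for the contact upload, is something a defender can look for in their own egress traffic. The following Python is an added example, not code from the article or from Apple or Google; it runs over a constructed set of request records with placeholder host names and flags plaintext requests carrying vCard or e-mail-address data, tagging hosts that were also reached over HTTPS.

```python
import re
from dataclasses import dataclass

# Loose e-mail matcher; good enough to spot address-book payloads in a body.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
VCARD_MARKERS = ("BEGIN:VCARD", "FN:", "EMAIL;", "EMAIL:")


@dataclass
class Request:
    """One observed HTTP request (e.g. from a proxy log)."""
    scheme: str
    host: str
    path: str
    body: str


def contact_indicators(body):
    """Return the distinct e-mail addresses and whether vCard fields appear."""
    emails = set(EMAIL_RE.findall(body))
    vcard = any(marker in body for marker in VCARD_MARKERS)
    return emails, vcard


def audit(requests, min_addresses=2):
    """Flag plaintext-HTTP requests that carry contact data.

    A host that was also contacted over HTTPS is tagged mixed_scheme: the
    article's case, TLS for one step and plaintext for the contact upload.
    """
    https_hosts = {r.host for r in requests if r.scheme == "https"}
    findings = []
    for r in requests:
        if r.scheme != "http":
            continue
        emails, vcard = contact_indicators(r.body)
        if len(emails) >= min_addresses or vcard:
            findings.append({
                "host": r.host,
                "path": r.path,
                "addresses": len(emails),
                "vcard": vcard,
                "mixed_scheme": r.host in https_hosts,
            })
    return findings


# Constructed sample traffic (not a real capture); host names are placeholders.
SAMPLE = [
    Request("https", "contacts.example-sync.test", "/auth", "token=abc"),
    Request("http", "contacts.example-sync.test", "/sync",
            "BEGIN:VCARD\nFN:Alice Example\nEMAIL;TYPE=INTERNET:alice@example.org\n"
            "END:VCARD\nBEGIN:VCARD\nFN:Bob Example\nEMAIL:bob@example.net\nEND:VCARD"),
    Request("http", "cdn.example.test", "/style.css", "body{margin:0}"),
    Request("https", "mail.example.test", "/inbox", "to=carol@example.com"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```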

According to The Washington Post, the NSA’s Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, and 33,697 from Gmail during a single day last year. The comparatively low number of contact lists acquired from Gmail is noteworthy considering it is among the most widely used online e-mail services. A key contributor to that low rate is almost certainly Google's default use of HTTPS to encrypt e-mail traffic. Soltani said the protection is not available unless applications that connect to Gmail support encryption. The application programming interface (API) that makes that capability possible is missing from Apple's address book, he added.

"There's still a lot of areas where developers just rely on insecure APIs, and this data shows that," he told Ars. Soltani said he found no evidence that Thunderbird and other popular apps didn't provide a way to encrypt data when working with Gmail.

Cryptography expert and security analyst Bruce Schneier said in a recent blog post that NSA spies acquire the address lists by tapping the Internet backbone.

"Once they have the data, they have powerful packet inspectors—code names include TUMULT, TURBULENCE, and TURMOIL—that run a bunch of different identification and copying systems," he wrote. "One of them, code name unknown, searches for these contact lists and copies them. Google, Yahoo, Microsoft, etc., have no idea that this is happening, nor have they consented to their data being harvested in this way."

Apple representatives didn't respond to an e-mail seeking comment for this post.

Given that Gmail will quite happily hand over the entire address book to the NSA anyway, I fail to see the extra privacy 'harm' caused by this.

The main problem is you don't need to be the NSA to pop Kismet in that Starbucks and sniff out all Address Book traffic around. After that it will be much easier to make a targeted social engineering attack against people in that Address Book.

It's like saying "As the NSA can pick my house's door I won't lock it anymore".

One of the few things Apple does very poorly is continue to iterate to improve their lower-profile software. For example, they haven't done anything to iWork on the Mac (except make it cloud-based and available on the web) in over four years. iCal and Address Book suffer from the same lack of attention, and the contact syncing is just one weakness resulting from the lack of resources given to them.

Not a surprise. Next question is why are we still using old versions of SSL and TLS? Is that something the NSA has been doing behind the scenes - compelling major companies to stick with the old encryption standards that they have exploits for?

The Contact app on the Mac is probably one of the worst applications I've encountered on the Mac. This security vulnerability just adds to the mountain of problems associated with it.
* CardDAV isn't fully integrated into the Google account setup options.
* Labels don't sync properly.
* Social profiles on Contacts don't sync with Google.
* Email labels reset themselves from Other to Email.
* Groups don't sync.
* You can't search for groups (or tags).
* Some custom fields don't sync.
* No support for the vCard 4.0 standard.
* Sharing options are limited (it's all or nothing).
* Nothing innovative when it comes to sharing data among friends and family. (You can't, for example, share a contact, and have it automatically update on their device every time you update yours.)
* You can't IM directly from the Address book (only iMessage).
* Pictures sync from Mac to Google at a lower resolution, and they're so small as to be meaningless. Constant syncing can lead to some heavily pixelated pics.
* Some data can't be deleted unless you go onto Google and do it from there.
* Can't see what dupes you're merging.
* Managing multiple accounts is a chore, and linking all the dupes is a pain.
* Data inexplicably and occasionally changes itself during the sync.
* It looks awful.

It's been basically the same forever. I've lost quite a few hours of my life trying to manage the mess that is Contacts, and it's why I largely use Cobook.

Mostly this stems from Apple's laziness at making their product play well with other services. Devices are thinner and smaller, but the software is still crap.

The story title is a bit overly sensational isn't it? It's not enough to point out a security weakness in Apple's software, we have to link it to the NSA spying too? The NSA angle feels pretty forced.

Also, "... no evidence that Thunderbird and other popular apps didn't find a way to encrypt data when working with Gmail." The double negative hurts my head to the point where I'm honestly not sure if other apps do or don't use encryption.

Let's put that in context. The NSA analyses contact lists from all major mail/OS services and collects the data. This is a case where they can just read the traffic without decryption effort. You would be extremely naive to think they aren't collecting data from this source gratefully already.

And the FBI exploited a bug in Firefox to help them shut down Silk Road. ...so... And? This is a general vulnerability that the author is trying so hard to link with the NSA.

As stated in the first paragraph of this post, the observation about the lack of HTTPS protection in Address Book was made in last week's Washington Post article about the NSA harvesting hundreds of millions of email contact lists from Gmail, Yahoo and other services. Given the context, tying this syncing weakness to NSA surveillance is entirely appropriate. It shows just what's at stake when developers don't follow best practices.

Also, if any critics have evidence of any other mail program failing to offer a way to HTTPS protect address books, please speak up. Otherwise, I don't think it's too hard to parse the point of this article: Address Book is the only one that has this problem.

You could still mention the NSA in all future and past discovered vulnerabilities in every software and service open to the public. But what is the point anymore?

For instance, according to Wikipedia:

Quote:

iCloud data is kept encrypted on Apple servers, but Apple maintains a master key and can decrypt it when requested by government agencies.[62]

It does not make a difference really if the government requests the master key from these companies. A subpoena could be enough since the contact list is just a list of recipients that is going to fill the (To:____) field of your emails, and that is metadata. Remember that data about the content is not private data.

If this is just about privacy, well, Google is going to read your contacts and your emails anyway. Let alone more than 20 years of insecure communications on the Internet, including but not limited to emails, until very recently.

So one solution would be to not synchronize the address book to Google?

I can live with that; indeed, I find it quite easy to use the mail apps on my phone & laptop without telling Google who I communicate with. As far as I can tell, I never *have* synchronized my stuff to Google, despite using a Gmail address.

I'm no fan of NSA's spying, but I'm even less of a fan of an aggressive data aggregator that has repeatedly misused client information, or sprung surprise uses of our data, either. Come to think of it, given my rather banal history of protests that don't rise to NSA level of concerns, it's much more likely that Google will make my life worse via their use of the data, than that NSA will.

PS: here's a tip for folks: if you don't want the NSA aware of your internet/web information, you're doing it wrong. You don't have any direct control of whether they get your stuff. Other corporations, etc., you DO have a choice!

It's information that is freely farmable by such an organisation. Information they have no moral right to. These people have committed no crimes and there is no reason why an organisation such as the NSA should be able to farm personal information for no reason. There is plenty of proof of abuse of such power.

Morally on both counts, this is wrong. The government should never have the master key for an entire service because of proven track records of abusing such access. One such instance - http://dedroidify.blogspot.com.au/2013/ ... t-say.html. I am sure there are hundreds if not thousands of more examples. They should only *ever* have access to accounts of those who are proven by a court of law to have done wrong. At least there is a level of transparency there.

Google we grant access to read but not share. That is the risk we take with our private data. Maybe we might change after incidents such as this to a service that does not read our contact lists, scan our emails etc.

It's just as well I never used my Mac Address Book anyway, since I don't like the fact of having addresses lying around on my computer unencrypted - let alone uploaded to Google!

Instead I keep my addresses in a simple word document, which allows me to input information much more freely than most address book applications. I store that file in an encrypted folder and only unlock it after going offline. I have the same set of addresses in my Thunderbird profile, which again is in an encrypted folder in my Mac's Library folder.

Sorry to say, but uploading addresses to e-mail providers like Gmail and Yahoo, convenient as it may be, is just wrong. You are not only compromising your own privacy but also that of all your contacts. Anyway, a local client like Thunderbird still beats webmail for me.

That's nothing. I store all my contacts on scraps of paper that I proceed to shred 3 times. Retrieval takes a few days, but ain't nobody gonna get my contacts. Although the cleaning lady has disposed of my entire contact list a few times!

But no matter, my contacts are safe. I just hope the NSA doesn't figure out how to Google for Dominos, else my contact list will have been compromised.

Seems like pretty hard-core security about who you might send email to, far better than the security essentially everybody has about who they actually send email to.

But as for convenience? Can't get much easier than just starting to type a person's name or address in your “To:” field, and having your Mac complete it for you. And every one of those address book entries has all the free-form space I've ever wanted… I don't suppose you've actually bumped into a limit in using it as a free-form database.

I'm afraid you're right, the real problem is, of course, that e-mails themselves are unencrypted, since most people don't have PGP or GPG set up.

As for convenience, my setup is just as good. When I start to type an e-mail in the "To:" field, Thunderbird completes it for me from the Thunderbird address book.

Here's a friendly reminder about security…

While I don't buy the “if you have nothing to hide…” argument, I think the converse is true. Assuming you're not a raving paranoid (you don't sound as if) or somebody with too much time on his hands, the fact that you devote many of your brain cells' too-few hours on the planet on such security measures certainly could suggest that you *DO* have something that some Official Security type might entertain himself finding out about.

You might look for a more anonymous way of talking about the security of your digital resources.

...the fact that you devote many of your brain cells' too-few hours on the planet on such security measures certainly could suggest that you *DO* have something that some Official Security type might entertain himself finding about.

Actually, I don't, I'm just a bit of a hobby geek ;-)

That said, if many people use encryption even if they have "nothing to hide", that's going to help protect those who DO have something to hide, like investigative journalists, since it makes it harder for the authorities to determine their targets.

Does it matter if it's encrypted or not? Don't the big name corps hand over data anyways? Glad I'm hosting my own Calendar and Address Books server. On the search for secure email. Great post, keep the crypto related info coming.